From: Peter Thoenen
To: Jason M, freebsd-security@freebsd.org
Date: Mon, 13 Mar 2006 03:50:31 -0800 (PST)
Subject: Re: DSD Approved Products

> I am considering installing several `servers' in a facility that
> needs to conform with the products listed at: DSD Approved Products

You might want to contact your local government security wonk and ask him if there is an open source loophole.
The US Department of Defense has a similar requirement that all Infosec / IA / crypto / blah blah items must be approved by CSLA or various CSLA-like agencies (forgot what established this .. been a while .. want to say some DOD / DISA / DODI / CJCSI reg). Lots of good tools are open source though and the cost of getting certified is outrageous with limited actual returns to the software in question. To combat this, a loophole was created to exempt open source software. You might have the same in Australia.

> As far as I can see freebsd performs above and beyond, for all the
> required criteria in the act. Can we see freebsd listed as an approved
> product in the near future?

I know for CSLA and NIST the process runs in the US$40.000 plus range. You fork the money over and you just might see it. The problem isn't getting on the list / meeting the requirements. It's that the agency that puts out this list requires the entity seeking approval to pay for all associated costs to confirm your software / hardware does indeed meet all the requirements. This can get expensive quick .. especially if you do not pass the first time.